Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

India orders VPN companies to collect and store user data

It seems that India is following the path of Russia and will monitor the online activities of its citizens more closely. Its most recent move will force internet infrastructure providers, including VPN services, to collect and, if requested, hand data over to the country's governing bodies.

Paulius Ilevičius

Paulius Ilevičius

India orders VPN companies to collect and store user data

What CERT-in wants

As a result of CERT-in's order, on June 26, 2022 NordVPN will shut down its servers operating in India. However, apart from this, NordVPN services will operate as usual in the country.

India's Computer Emergency Response Team (CERT-in) ordered VPN companies, data centers, ISPs, hosting providers, and other internet infrastructure companies operating in India to collect their customer data, store it for five or more years, and hand it over to the government if requested. That means that a VPN company with servers in India may no longer be able to guarantee privacy for its users. The government body asks such companies to collect and report such data as:

  • Users' full names, physical addresses, email addresses, and phone numbers.
  • Their reason for using a VPN.
  • The dates of usage of the service.
  • The IP addresses and emails used by users to register for the services as well as registration time stamps.
  • All IP addresses issued for a user by a VPN provider and a list of IP addresses used by its customers.

Those that do not comply with the regulation can potentially face up to one year in prison. The directive also applies to cloud service providers and data centers. If it passes, the directive will take effect on June 28, although an interim period will pass until its full implementation.

Many major VPN providers adhere to strict privacy policies, which means that they don't collect or store customer data. No-logging features are usually embedded in their server architecture, and it would be complicated for providers to change it. Moreover, a reliable VPN company wouldn't agree to such a requirement for ethical and reputational reasons. So the passing of this law would mean that many premium VPN services would no longer be able to keep servers or even operate in India.

India's online freedom record

India doesn't rank high in terms of internet freedom, so such a request does not come out of the blue. In 2012, Reporters Without Borders added India to the list of countries under surveillance due to its internet surveillance practices and the pressure placed on service providers by the government. Freedom House also identifies India's internet as “partly free.”

Following the November 2008 terrorist attacks in Mumbai, the Indian Parliament amended the Information Technology Act (ITA) and expanded the government's censorship and monitoring capabilities.

India's internet restrictions haven't become more relaxed in recent years, either:

  • In 2020, it banned over 200 Chinese apps.
  • In 2021, it banned 22 YouTube channels.
  • In 2012, the country issued summonses to Google and Facebook headquarters for objectionable content.
  • In 2021, India tried to force Twitter to ban over a thousand accounts related to farmers' protests, thus censoring free speech.
  • In 2020, the country also initiated 109 internet shutdowns, and that number is not likely to decrease.

In the context of such events, VPN services are essential to Indian users who wish to enjoy a free online space. However, the pending directive will make VPNs a less compelling option for protecting online privacy.


Paulius Ilevičius
Paulius Ilevičius Paulius Ilevičius
Paulius Ilevičius is a technology and art enthusiast who is always eager to explore the most up-to-date issues in cybersec and internet freedom. He is always in search for new and unexplored angles to share with his readers.